Header Ads

Insight on Mobile Phone Viruses & Other Malware

Even the most cautious of PC users will have certainly faced at least one instance of virus infection. We all know how frustrating a virus attack can be. Viruses, worms and trojans, under whatever category they’re classified, can cause anywhere from minor irritation to total system failure. Instances of PC virus attacks are fairly common. These days, with mobile devices becoming increasingly similar to fully functional PCs, it makes one wonder whether these devices will be the next to face an epidemic of a virus threat. Turns out they are surely on the target list for malicious code programmers and that we may be on the brink of a widespread virus attack in the near future. A recent research study that appeared in Science magazine had scientists studying human behavioral patterns to find out the reasons behind this and what to expect if such a scenario were to take place. The study revealed that the only type of phone that is susceptible to a virus attack is one that runs an operating system — a Smartphone. Considering that even in these difficult times the growth of smartphones is unstoppable and nearly doubling every year, the time is not far off when we see a full-fledged virus attack.

The virus story so far...

Ever since the iPhone changed our view of smartphones, there has been no stopping this segment. But that doesn’t mean that smartphones weren’t around prior to that. Sometime in 2004 came devices that were able to download applications from the internet and share software with one another through short-range Bluetooth connections; they also had worldwide multimedia messaging service (MMS) communications and memory cards. With these phones came the first mobile phone virus written for the Symbian series 60 OS. It was dubbed Cabir and was a classic proof-of-concept virus, clearly created to prove a point and perhaps claim bragging rights. The first variant of Cabir was not very harmful; it simply replicated itself through Bluetooth and draining the battery was its only malicious intent. Later variants, however, were not so benign and did considerable damage. The transmission mode for Cabir was through Bluetooth. The virus would basically search for other devices that were left in the ‘discoverable’ mode and jump that way from phone to phone. Cabir comes into a phone as a Bluetooth message in the inbox as a caribe.sis file. Opening the file would unleash the virus and soon it starts looking for other devices.

Soon many malicious code writers took a cue from Cabir and began modifying it to make more damaging forms of the virus. The later variants of Cabir and other viruses could completely disable a phone, delete the data on it, turn icons into skulls, or force the device to send costly messages to premium-priced numbers. Soon the number of recorded viruses for mobile phones grew to about a hundred, but mostly on Symbian and Windows Mobile platforms. This growth was very similar to the growth rates of viruses on the PC platform after Brain, the first pc virus, made its appearance.

Soon, by 2006, there were several Trojans doing the rounds. Some of the common mobile Trojans to have attacked mobile phones and smart phones are: SymbOS. Sendtool – a trojan horse that runs on the Symbian operating system. This trojan drops a hacktool that can be used to send malicious programs, such as variants of the SymbOS. PBStealer family of trojans, to other mobile devices via Bluetooth. CDropper is another family of Symbian SIS file trojans that will install Cabir variants into the device. Mainly, this variant makes the menu icons go blank. Commwarrior then emerged on the scene and had its biggest impact in Spain where it infected about 1,00,000 phones in 2006. It infected phones running Nokia’s Symbian series 60 second edition operating system and spread via MMS messages — text messages containing an audio, video or picture file. Certainly an irritant, it drew up large phone bills for users. According to Panda Security, as of 2008, 90.34 per cent of mobile malware targets the Symbian platform, 4.14 per cent Windows Mobile, 3.35 per cent Palm OS, and 2.07 per cent targets J2ME.

Both networks and manufacturers soon realized the impending threat and steps were taken back then to stem the proliferation. Apple for instance, when it launched the iPhone, came up with the App Store so that trojans couldn’t creep in through non-trusted third-party applications. Both Nokia and RIM have followed; creating their own app stores. Yet, people continue to jail break their phones or indiscriminately install any application that could perhaps hold trojans.

We asked Amit Nath, Country Manager, Trend Micro India & SAARC to tell us about the most problematic threat that they’ve encountered so far. He said, “Trend Micro researchers have encountered a fair number of mobile threats in the past two years, but it would be a stretch to call any of them except one anything truly problematic. The one exception we’re referring to is WINCE_INFOJACK, which has similar capabilities to the most dangerous information-stealing malware seen on the desktop. More recently Trend Micro researchers detected malware targeting the Windows Mobile PocketPC. Detected as WINCE_INFOJACK.A, the worm runs on a Windows CE environment and steals information like the serial number, OS version, model, platform, and host’s name then relays it to the malware author. WINCE_INFOJACK.A also changes security settings on the affected phone. The worm originates from an infected memory card on a mobile device or through SMS. In addition, another very recent virus attack was “Curse of Silence” virus. This denial-of-service attack prevents incoming SMSes from reaching the inbox once the user receives a specially formulated text message”.

Phones affected by CurseSMS required a factory reset. Another important virus report of recent times was of the appearance of the first iPhone Trojan – a crude piece of code, with no means of propagation, purportedly written by a twelve year old.

Why isn’t there a big boss virus yet?

Having noted all the outbreaks so far, there has not been a single major catastrophic virus event of the likes of Mellissa or Conficker in the PC world. Why is this so? According to recent research the reason is fragmentation in the market. Viruses will pose a serious threat only once a single mobile operating system’s market share grows sufficiently large. For now, different vendors use different operating systems and so just as compatibility is an issue with applications so it is with viruses. A virus written for one OS will not work on another. A virus friendly eco-system is just what will happen in the near future given the existence of the iPhone OS and strong contender Android. The Palm Web OS is also being hailed as a thoroughbred multitasker. The impending popularity and proliferation of these operating systems will likely bring in the era of wide-spread mobile viruses. Yet another issue regarding the spread of viruses needs to be addressed here. The transmission mode or vectors. So far we have seen viruses that have spread through Bluetooth primarily. This is also a reason that no virus outbreak is very widespread. For a virus to be spread through Bluetooth it needs to be within a 10 to 30 meter radius of another Bluetooth enabled phone. MMS proliferating viruses are not so restricted in their spread. Like computer viruses they spread using the address book of the device and a network connection. The bad news is that hybrid viruses are also conceivable and these will pose the most significant threat.

Blue Jacking

The term BlueJacking as it turns out is a misnomer. What is commonly believed by the general public is that BlueJacking is a way to take control of another phone using Bluetooth. Giving rise to the wrong belief that the word is an amalgam of Bluetooth and hijacking. This concept in fact is known as BlueSnarfing. Bluejacking actually is simply sending messages via Bluetooth to other phones. Most commonly people would rename a contact in their phone to something like “You have been Bluejacked” and send it as a Vcard to nearby phones. More mischievous and startling messages would be something like “Hey there cutie, I like your black top”. The technique is often used as a guerrilla marketing tool. The term is supposed to have originated when a Malaysian IT consultant used his phone to advertise a particular phone brand. The name was a combination of the words Bluetooth and ajack – his username on an online fan forum. BlueSnarfing on the other hand has a more malicious intent. It is a technique that could be used to copy sensitive data from a victim’s phone as well as take complete control of their devices to make calls. This was done by exploiting a security flaw in the Bluetooth standard of earlier phones that has since been rectified.

What does the future hold?

Thieves will always go where there is money. Now that people have begun transacting business on their phones there is sure to be a surge in spyware written for mobile platforms. Around the end of last year a new report on emerging threats from the Georgia Tech Information Security Center mentioned that botnets are going to hit cell phones by mid-2009. Even if operating systems are different, browsers are still common. You have Opera Mini on most Java and Symbian phones while Windows Mobile comes with Internet Explorer; on Apple’s iPhone you have Safari. All of these browsers have vulnerabilities that can be exploited, although not always on the mobile version. Now that people have started transacting on their mobile phones, we will see more instances of data theft than denial of service (DoS) attacks.

Attack vectors of the future

In virus parlance, a vector refers to the mode of attack. For example, an infected USB drive is a common vector for desktop viruses. In the case of mobile phones, there are several virus vectors too. And more are likely to emerge as we enter the 3G era. Some of the attack vectors for mobile phones could be:

  1. Peer-to-peer connectivity – this includes Bluetooth and infrared. Bluetooth is used as a vector by most viruses.
  2. Synchronization with a PC – PCs are more susceptible to viruses. So, if a phone virus has crept in on one and is lying dormant, it can easily get transmitted when the phone is connected to the PC.
  3. Data services – this includes MMS, SMS, WAP and other packet service connectivity. You click a link or download an application from a non-trusted source.
  4. Wireless LAN – this will be the same as getting a virus across the internet.
  5. Telephony – instances of such viruses have not occurred yet, but perhaps some ingenious method can be developed by malicious coders.
  6. Physical media – Commwarrior has been known to infect physical memory media such as SD cards or memory sticks.
How do you protect yourself?

Prevention is the key. Most big names in antivirus software such as Trend Micro, McAfee, FSecure and Kaspersky have security solutions for mobile phones. In fact, some suggest that much of the hype and panic about mobile viruses has been raised by AV companies. So the obvious question is – do you need an antivirus solution for your mobile phone? The answer to this is ambiguous. Firstly, in the case of mobile viruses spread through MMS, they have to go through the network operator’s servers. With malware filters, the threat can be curbed from proliferating. However, for viruses spread through Bluetooth, it’s best to have protection native to your phone. Most of these antiviruses have trial versions, with a full version starting at $20 upwards to around $50 a year.

Apart from antivirus packages, disinfection tools designed for specific viruses are also available. Such tools can detect and remove a particular type of virus. FSecure had a disinfection tool for both Cabir and CommWarrior. FortiCleanUp Tool from FortiGuard is also another clean up tool that is available free and offers the removal of most known viruses. Other packages such as NetQin and Commander are also available for certain platforms. But the efficacy of these will only be tested when more sophisticated viruses surface. Spybot Search and Destroy is also available for Windows Mobile, Windows CE and Symbian UIQ 2.

Apart from installing antivirus programs there are certain simple precautions that you can take. The most basic precaution is to keep your phone in the hidden mode. You obviously lessen the chances of virus attacks if the phone is not visible to worms at all. Activate Bluetooth only when needed. Other Bluetooth precautions include devices pairing in secured areas and choosing a strong PIN. Some of the same rules of the web apply to the mobile world. Be extremely cautious when opening attachments to messages or emails; be it from known or unknown sources. Keep an eye on file extensions; an alarm should always ring in your head when an innocuous extension such as MP3 or JPG asks you for an application install dialogue box. Another rule of thumb that you must follow is – always choose no. Most of the Bluetooth viruses ask you to install a SIS file. In most cases, simply clicking NO would avert the problem all together. Although this may restrict the applications you install on your phone, it’s best to stick to applications from trusted sources to lower the risk of infection.

Perhaps manufacturers and the powers that be should take a cue from what happened with desktops and provide for security from the word go, instead for waiting for malicious code to be developed first and then go about countering it. In conclusion we leave you with the boy scouts motto – be prepared.